CVE-2026-40612: jq Stack Overflow Lets Attackers Crash JSON Processor

CVE-2026-40612 in jq 1.8.1 and earlier allows attackers to trigger a stack overflow via deeply nested JSON input, crashing the tool. CVSS 7.5.

Executive Summary

CVE-2026-40612 is a stack overflow vulnerability in jq, the widely used command-line JSON processor, affecting versions 1.8.1 and earlier. The flaw resides in the jv_contains function, which recursively traverses nested arrays and objects without enforcing a depth limit. An attacker can cause a deeply nested JSON value, built programmatically with jq's reduce operator, to be passed to jv_contains, exhausting the C stack and crashing the process. The vulnerability was disclosed via a GitHub security advisory on May 12, 2026, and carries a CVSS v3.1 base score of 7.5 (high severity). As of this writing, no patch has been released.

Technical Analysis

The jv_contains function in jq's runtime is designed to check whether one JSON value is contained within another. According to the advisory published on the jqlang/jq GitHub repository, the function recursively descends into nested arrays and objects with no bound on recursion depth. While jq's built-in JSON parser caps input nesting at 10,000 levels — a safeguard against malformed input — the jv_contains function can be reached via jq's own reduce operator, which allows programmatic construction of deeply nested structures that bypass the parser's depth limit.

An attacker who can supply a jq filter or input file that triggers jv_contains on a sufficiently nested structure will cause the C runtime stack to overflow. Stack overflows in C programs typically result in a segmentation fault (SIGSEGV), terminating the process. In multi-tenant or automated environments where jq processes untrusted JSON — such as CI/CD pipelines, log aggregation systems, or API gateways — this can be exploited for denial of service.

The advisory notes that the issue was discovered internally by the jq maintainers. No proof-of-concept exploit has been published publicly, but the technical details are sufficient for a motivated attacker to reproduce the crash. The vulnerability is classified under CWE-674 (Uncontrolled Recursion).

jq is a dependency in countless Linux distributions, container images, and software stacks. Its ubiquity means the denial-of-service surface is broad, though exploitation requires the ability to supply crafted input to a running jq instance.

Mitigations & Recommendations

As of May 12, 2026, no patched version of jq has been released. The jq maintainers have acknowledged the issue and are working on a fix. Defenders should take the following steps in the interim:

  • Avoid processing untrusted JSON with jq in automated or exposed contexts. If jq is used in a CI/CD pipeline or web service that accepts external input, consider replacing it with an alternative JSON processor (e.g., yq, dasel, or a language-native JSON library) until a patch is available.
  • Implement input validation at the application layer to reject deeply nested JSON structures before they reach jq. A nesting depth limit of 100 or less is a reasonable default for most use cases.
  • Monitor for crashes in systems that rely on jq. Unexplained segmentation faults in jq processes may indicate exploitation attempts.
  • Apply the patch as soon as it is released. Subscribe to the jqlang/jq repository for updates.
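The application-layer depth check recommended above, as an added example that is not part of the advisory or of jq itself. It scans the raw bytes without parsing (so the guard cannot itself be knocked over by the input it rejects), ignores brackets inside string literals, and only invokes jq when the nesting is within the limit. Note that it guards input data only; a hostile filter that builds nesting with reduce is not covered, which is why untrusted filters should not be run at all. The function names and sample inputs are constructed for this example.

```python
import subprocess
from typing import Optional

MAX_DEPTH = 100  # conservative default, per the mitigation guidance above


def max_json_nesting(data: bytes) -> int:
    """Return the deepest array/object nesting level in raw JSON text.

    Iterative byte scan: no recursion, so arbitrarily deep input cannot
    exhaust this checker's own stack. Brackets inside string literals
    (including escaped quotes such as "\"[") are not counted.
    """
    depth = max_depth = 0
    in_string = False
    escaped = False
    for b in data:
        c = chr(b)
        if in_string:
            if escaped:
                escaped = False          # character after a backslash is literal
            elif c == "\\":
                escaped = True
            elif c == '"':
                in_string = False
            continue
        if c == '"':
            in_string = True
        elif c in "[{":
            depth += 1
            max_depth = max(max_depth, depth)
        elif c in "]}":
            depth -= 1
    return max_depth


def is_safe_for_jq(data: bytes, limit: int = MAX_DEPTH) -> bool:
    """True when the input's nesting does not exceed the configured limit."""
    return max_json_nesting(data) <= limit


def run_jq_guarded(jq_filter: str, data: bytes, limit: int = MAX_DEPTH) -> Optional[bytes]:
    """Run a trusted jq filter only after the nesting check passes; None if rejected."""
    if not is_safe_for_jq(data, limit):
        return None
    proc = subprocess.run(["jq", "-c", jq_filter], input=data, capture_output=True, check=True)
    return proc.stdout


# Constructed sample inputs (not taken from the advisory).
SHALLOW = b'{"user": {"roles": ["admin", "dev"], "note": "[{not nesting}]"}}'
DEEP = b"[" * 500 + b"]" * 500   # 500 levels: rejected under the default limit
```

Wire `run_jq_guarded` in front of any pipeline step that feeds external JSON to jq; a `None` return is the signal to log and drop the input rather than process it.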
